The `Unprotected Login`
Inter-Net Fraud League (I-NFL) Hall of Shame

Last updated: Tuesday, September 20, 2005


Found more sites, an error, or a secure version? Join our contributors, update the Inter-Net Fraud League Commissioner:
Amir Herzberg (I-NFL Commissioner and developer of TrustBar – improving browsing security)

Associate Professor, Dept. of Computer Science, Bar Ilan University and proud member of DigiCrime, Inc.


The information here is based on my observations and professional experience, and presented only for educational and research purposes. It is not a recommendation to use or not use any particular service, and may be outdated or mistaken. Please inform me of errors.


Shame on them! (Why? And what does the FDIC think of it?)

Install TrustBar to detect unprotected and spoofed sites and – as of version - automatically redirect users to a protected login page when available!!

Phishing and Spoofing Q&A


Unprotected login sites (* sites: TrustBar automatically redirects to a protected login!)



Banks and financial institutions

PayPal *(apparently only from outside US), Chase*, SmithBarney* (CitiGroup), Bank of America* (also BoA with wrong domain), TD Waterhouse*, Amex*, FirstCommand Bank, MidFirst Bank*

Wachovia*, Washington Mutual (WaMu), Zions, Lasalle* (of ABN AMRO, similar site – but unprotected…), USBank*

Security services (single sign on, CA)

Microsoft Passport, Equifax, InstantSSL

Portals, webmail, etc.

Yahoo!, Hotmail, NetVision, GoldMail

Merchants, eZines, others

Amazon, New York Times, Travelocity

Protected login sites, but not identified using their corporate name (e.g. identified using a web service provider)

CityBank, CapitalOne


Some screenshots (most using Firefox with TrustBar for improved security indicators)

Banks and Financial Institutions

Security and other (insecure) login sites




Contributions to the Hall of Shame

Please inform us of additional unprotected login pages, or of current entries that appear to be protected (this could be a mistake, a fixed site, or a geography-dependent site, e.g. PayPal). To contribute, it is best if you copy the I-NFL Commissioner on a letter (physical or e-mail) sent to the company, asking them to protect their site and informing them that if they don't, it will be listed in the Hall of Shame. [But if you are lazy, just send me e-mail.] Please also send me any responses from the company.


The following individuals have contributed entries: Yehuda Lindell, Libby Berkovitz, Ricardo Camba and Aviv Sinai. Thanks!!



  1. I'm based in Israel and that's where I access sites. Some sites, e.g. PayPal, apparently work OK when accessed from other places, e.g. the USA. The difference is (probably) due to their using a Content Distribution Network (CDN) solution. I think that the fact they protect their US site implies they should also protect the site when accessed from other places…
  2. I'm making a reasonable effort to contact the companies _before_ posting them on this list. Some, indeed, fixed their sites after my warning. Unfortunately, many companies did not fix their sites (as you can see!). If you have a contact in any of these companies, you are encouraged to try to get them to fix their sites. Also let me know if you find any site that is now protected… For example, Mr. Harvey Nice from Glenview, IL informed me today that the Wells-Fargo site is protected, so I confirmed it and removed it.
  3. As of version, TrustBar provides two defenses for users of unprotected login pages. First, for many unprotected login sites, we know of an alternative, protected login site (marked by * after the name of the site in the table above). In such cases, TrustBar will automatically redirect to the protected site. Second, TrustBar checks any unprotected site for which the user `assigns` a name/logo for changes. Sites that do not change for five visits are considered `static`, and TrustBar displays `Same since <date>` to establish trust in them. When they do change, TrustBar warns the user. This helps, especially for sites that invoke SSL to encrypt the password in transit (as most unprotected login pages do, esp. of banks). So try it…
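
The two defenses in note 3, modelled as an added example (this is not TrustBar's code): a redirect table for sites with a known protected login, and a per-site content fingerprint that yields `Same since <date>` after five unchanged visits and a warning on change. The URLs, page bodies and all names are constructed; hashing the whole page with SHA-256 and silently restarting the count when a not-yet-static page changes are assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

STATIC_AFTER = 5  # unchanged visits before a page counts as static (from note 3)

# Constructed table: unprotected login URL -> known protected alternative.
PROTECTED_LOGIN = {"http://bank.example/login": "https://bank.example/login"}

# Constructed page bodies: the served form, and a copy whose form target differs.
GOOD = b'<form action="https://shop.example/auth"><input name="pw"></form>'
TAMPERED = b'<form action="https://other.example/auth"><input name="pw"></form>'

@dataclass
class PageRecord:
    digest: str         # SHA-256 of the page body last seen
    since: date         # first visit on which this digest was seen
    unchanged: int = 1  # consecutive visits with this digest

class LoginPageMonitor:
    """Hypothetical model of the redirect and static-page checks."""

    def __init__(self):
        self.records = {}

    def visit(self, url: str, body: bytes, today: date) -> str:
        # Defense 1: prefer the protected login page when one is known.
        if url in PROTECTED_LOGIN:
            return "redirect " + PROTECTED_LOGIN[url]
        # Defense 2: fingerprint the unprotected page and track changes.
        digest = hashlib.sha256(body).hexdigest()
        rec = self.records.get(url)
        if rec is None or rec.digest != digest:
            was_static = rec is not None and rec.unchanged >= STATIC_AFTER
            self.records[url] = PageRecord(digest, today)
            # Only a page already trusted as static triggers the warning.
            return "WARNING: page changed" if was_static else "learning"
        rec.unchanged += 1
        if rec.unchanged >= STATIC_AFTER:
            return "Same since " + rec.since.isoformat()
        return "learning"
```

A page with rotating banners or per-request tokens never reaches the static state under a whole-page hash, so a practical check would fingerprint only the login form and the scripts it loads.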